Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1081
Views
15
Helpful
3
Replies

Compatibility of IOS XE 3.6.8E on 3850's with ISE 2.4

Go to solution
espanou
Cisco Employee
Cisco Employee

‎02-22-2019 05:46 AM - edited ‎03-08-2019 07:13 PM

Hi ISE team,

 

New to SEC, so please bare with me :)

 

In the ISE 2.4 compatibility document below (Table 2), it is stated that IOS XE 3.6.5E and IOS XE 3.6.7E releases on 3850 have been validated with ISE 2.4, which means they have been tested for compatibility and stability.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html

 

The partner tied to my customer has done the check for various bugs (see list below), and they have reached the conclusion that the IOS version on the 3850's that would fix those bugs would be IOS XE 3.6.8E.

 

Q1: Would the IOS XE 3.6.8E on the 3850's be compatible with ISE 2.4 (not mentioned in compatibility matrix)? Could we officially claim that it would work with no issues?

 

Q2: The 3850's are already on the minimum IOS release required for ISE 2.4. What is the real value we would be getting by updating to a validated OS version? Less likely to encounter any issues? Would TAC ask the customer to upgrade to the validated version if there is indeed any issue?

 

Q3: How come the validated IOS XE 3.6.5E and IOS XE 3.6.7E releases on 3850 have security warnings against them?

 

Thank you for your help,
Eirini
 
BUG LIST

CSCur34138

Headline: Memory leak Process= NGWC SPI Async Response

CSCuz11275

Headline: 4500 Switch Crash after Enabling Performance Monitoring

CSCvc47165

Headline: SFP port detect link-flap error and it's in error-disabled state on 3650

CSCve37653

Headline: 4500 in RPR causing SNMP Input queue full errors and eicore timeouts

CSCvf02423

Headline: C4500 - 03.06.06.E / 15.2(2)E6 - High CPU due to KxAclPathMan reprogr, KxAclPathMan update

CSCvf59705

Headline: ARP packets dropped silently on 3850

CSCvf61452

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-22-2019 09:48 AM

Hi,

Yes it should work technically. Not being listed or validated doesn't mean
that it won't work. It just means that they didn't confirm the availability
of any bugs which can impact operations. I have seen some images behaving
strange with dot1x (even though they listed as validated by Cisco). It all
depends on what are all feature sets enabled on the switch such as
energywise, dot1x on phones, vrfs, etc.

dot1x it self is straight forward but the combination of features enabled
can trigger bugs.

View solution in original post

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to espanou

‎02-25-2019 02:33 AM

It depends on the problem your customer faces. If its a configuration error or tuning then TAC can perform this on the same XE code. However, if they see unexplained pattern then they will recommend new XE.

View solution in original post

3 Replies 3

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎02-22-2019 09:48 AM

Hi,

Yes it should work technically. Not being listed or validated doesn't mean
that it won't work. It just means that they didn't confirm the availability
of any bugs which can impact operations. I have seen some images behaving
strange with dot1x (even though they listed as validated by Cisco). It all
depends on what are all feature sets enabled on the switch such as
energywise, dot1x on phones, vrfs, etc.

dot1x it self is straight forward but the combination of features enabled
can trigger bugs.

Go to solution
espanou
Cisco Employee
Cisco Employee
In response to Mohammed al Baqari

‎02-25-2019 02:10 AM

Hi Mohammed,

 

Thank you for your response, it is quite helpful. 

 

What I understand is that the 3.6.8E image on the 3850's should work with ISE 2.4, but Cisco has not tested that image to validate absence of bugs. As an official recommendation, I believe it makes sense to let the customer know that they could move to 3.6.8E, but we cannot guarantee no bugs relating to ISE. Therefore, there is risk involved, also considering the combination of features enabled on the switches. 

 

I was wondering what happens as it relates to TAC support. Would they ask the customer to move to an ISE 2.4 IOS validated version, if the customer encounters any issues while running a non-validated IOS version on the 3850's?

 

Best regards,

Eirini

 

 

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to espanou

‎02-25-2019 02:33 AM

It depends on the problem your customer faces. If its a configuration error or tuning then TAC can perform this on the same XE code. However, if they see unexplained pattern then they will recommend new XE.
Customers Also Viewed These Support Documents